3962307b2873339db9a9965c682a5c1451965434765043e347ab688eaebe3f06

General

Target

aff848155fb6090388d6147ff867474b_JaffaCakes118.docm
Size

382KB
MD5

aff848155fb6090388d6147ff867474b
SHA1

959294a546532204cad345d2f88673fade6ce4b0
SHA256

3962307b2873339db9a9965c682a5c1451965434765043e347ab688eaebe3f06
SHA512

56656844ca4697564a0ee6a80a15ad32f6aaab5a5373e4f6e98d874cc00be4dfc6ac9795488f22dd6bc6adbb924b5b3c3c044b8be4e74808ce38ca235f1cb793
SSDEEP

6144:d/2GQYO2wfyqUBDD5LpUuTSVbkecVQYP3yil1s8HsDsXAYeTkpoCz7Jcr:d+RaqUBDDppUugqiYKaBYs1pok7ir

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\http:\bit.ly\1_loadingH7TvJa	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2544	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2544	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	WINWORD.EXE
2544	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2016	2544	WINWORD.EXE	32
PID 2544 wrote to memory of 2016	2544	WINWORD.EXE	32
PID 2544 wrote to memory of 2016	2544	WINWORD.EXE	32
PID 2544 wrote to memory of 2016	2544	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aff848155fb6090388d6147ff867474b_JaffaCakes118.docm"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4415EDDA-43A3-4739-86B0-897BFE68B6D3}.FSD

Filesize
128KB

MD5
2c10355ac45742bc10cd0b1f36bb71d9

SHA1
2d2c6ce0a9a2443b887711372e297cec13fb9353

SHA256
d9da4255dddfe740190f1c6b100176d55aed6c0fd71f75fd63d1be7010ebcd1c

SHA512
798cce59bca8fb973e64cf1caf5be6afaab39404016843245c70a3cb088600eb76f2d63d1f999631a60c6bb128a2e5d8a65cd0e0904d2be6047c88988aefafc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
5f3419071e2e283b3a567eb41242c0b5

SHA1
eb8e3d5844da038851c363b1cd4faa5e495c1ddc

SHA256
d1bd9717893ab48ccdf85d2b0cf313b9fdadb7a8c51d378eba7937dff4216d5a

SHA512
74a599cbe1d1244d781d258ccc974b437e5f760ce86e8d16dfc7111b3ab0c6560b3dd3b0f66064a36da67a91d61c44eaf144d4fd7f0a4d7e7b0fe7495c47d2d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{139CBD30-E045-429B-A296-E8897D107876}.FSD

Filesize
128KB

MD5
89aceb8f18e92b4c9e3a67cee95006b8

SHA1
636ac66a46128459a145f0ea8410d6846af138fa

SHA256
1c09fe4071edd8da71c3905e4474227ff215226f89f494e2efcd1ac0721efa13

SHA512
917b801d5874bbd95ecf7c23c4e85031e56e460013b140a4be60716d001c7f4e0ee72ec97c1a312aa81cde4e39ad1e5cf3429cccb8e77ebb7bf3aca31597ccdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B05D737.emf

Filesize
39KB

MD5
c2485d9ae8e561a192571bc6a1285725

SHA1
5547d74bc1ef2ddc668398f07ca34d6b6ad2393c

SHA256
5c3e2dd465a682f147a42238021c54ca029774971f6738d680443af925381166

SHA512
be629b38d008fd7abb6285797dcf6164df09a4f3fd43449f8b49e9bcf9c9270f4795f6fc00b43fe074418099d0a1a7b90d576c9b5d628b8191c8bfcf5cebba2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9FA8848B-8746-48BD-A0D1-102BB8A092CC}

Filesize
128KB

MD5
83dc1b7eab09eb0fdf06250aadc10932

SHA1
f8dcb5241cb8bdd4fbb6498e2ea7af4bd019f72f

SHA256
30585ab71f00fe9e7872cf47dcfd39699938fe4796064149975e5f9c7106ce84

SHA512
ae6ce30872a250d8e6214a9bdb435df87311bb5a261e5fb7869807509026dca9353674261b95ba79cd6c509303711ae0ffe5a7e4d459c371daf2f986e9c7c011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
77139e07915712025cb21eac8f050cae

SHA1
9ed6950cfe27f64f25aabead2c60188c980374e9

SHA256
5acf3d2982c1614edb383c823bcfef61a636b753da9439160130280450cb7f6b

SHA512
2463d6ab06d5242dcdb6c3318cb6c63b47a11ffd6c0b840fe3604cf609edc277c57b894dcc7205722db90969acfae71cce38db43e469148519806f11288c3c29

Download Submit
memory/2544-0-0x000000002F1D1000-0x000000002F1D2000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2544-2-0x00000000739CD000-0x00000000739D8000-memory.dmp

Filesize
44KB

Download
memory/2544-82-0x00000000739CD000-0x00000000739D8000-memory.dmp

Filesize
44KB

Download
memory/2544-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2544-108-0x00000000739CD000-0x00000000739D8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing